Daniel Cosio

Reputation: 293

Azure identity access to blob storage

I'm having an issue with permissions accessing my Azure Blob storage.

My application is sitting outside Azure and is going to access Azure Blob storage to get the files.

I've registered the app in Azure AD and have a secret key. The secret expired in 1 yr.

I have set up the environment variables AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_TENANT_ID.

    BlobServiceClient storageClient = new BlobServiceClientBuilder()
                                     .endpoint("https://myaccount.blob.core.windows.net")
                                     .credential(new DefaultAzureCredentialBuilder().build())
                                     .buildClient();
     
    BlobContainerClient blobContainerClient =  storageClient.getBlobContainerClient("mycontainer");
    BlobClient blobClient = blobContainerClient.getBlobClient("Sample.pdf");
    File destinationDir = new File("/somedir/");
    File downloadedFile = new File(destinationDir, "Sample.pdf");
    
    blobClient.downloadToFile(downloadedFile.getAbsolutePath(),true);

When trying to download I'm getting:

    <Code>AuthorizationPermissionMismatch</Code><Message>This request is not authorized to perform 
    this operation using this permission.
    RequestId:f0c2de14-401e-0050-0bfd-6f97ad000000
    Time:2020-08-11T16:34:29.1943093Z</Message></Error>"

I'll admit I'm now confused. Do I need to get a token first? I assumed I had everything since the examples were pretty explicit, but searching around I'm seeing references to getting a token and some not.

I also tried using SAS and I'm getting the same issue. I have Storage Blob Data Contributor set for my account.

Here is an example of the connection using SAS

    BlobServiceClient storageClient = new BlobServiceClientBuilder()
            .endpoint("https://mystorageaccount.blob.core.windows.net/?sv=2019-12-12&ss=b&srt=c&sp=rlx&se=2020-08-12T22:37:28Z&st=2020-08-12T14:37:28Z&spr=https&sig=<mysig>")
            .buildClient();

    BlobContainerClient blobContainerClient = storageClient.getBlobContainerClient("mycontainer");
    BlobClient blobClient = blobContainerClient.getBlobClient("Sample.pdf");
    File destinationDir = new File("/mydir");
    File downloadedFile = new File(destinationDir, "Sample.pdf");

    blobClient.downloadToFile(downloadedFile.getAbsolutePath(), true);

Upvotes: 1

Views: 1255

Answers (2)

Daniel Cosio

Reputation: 293

So all the code is correct. I spoke with MS Azure support. I missed setting the application permission. I had set my username permission by mistake. As usual, a simple fix.

So now using both secretKey and SAS work.

Upvotes: 0

Allen Wu

Reputation: 16458

You should assign the Blob Storage Contributor Role to the service principal associated with your Azure AD app.

UPDATE:

Not sure why Authenticate with Azure Identity doesn't work for you.

But if you use sasToken, make sure you have enough permissions.

Please refer to my code:

    BlobServiceClient blobServiceClient = new BlobServiceClientBuilder()
            .endpoint("https://allen3545635.blob.core.windows.net/")
            .sasToken("sv=2019-12-12&ss=bfqt&srt=sco&sp=rwdlacupx&se=2020-08-13T15:18:15Z&st=2020-08-13T07:18:15Z&spr=https&sig=XXX")
            .buildClient();

Remember to remove the "?" at the beginning of sasToken which is generated on Azure portal.

Upvotes: 1
